Wie gesagt, es ist einfach ein Problem mit den Forks und den derivation paths. Ich seh das nicht als gravierende Schwachstelle.
Nach meinen Berechnungen ergibt das einen CVSS Score von 6.6 und wird damit als Medium (4.0 - 6.9) eingestuft. Es ist anzumerken, dass der CVSS keines Wegs perfekt ist und definitiv berechtigte Kritik daran existiert. Nichtsdestotrotz lässt es sich damit zumindest ein wenig quantifizieren. Generell kann ja nichts passieren wenn man nicht mit shitcoins hantiert oder der Rechner nicht kompromittiert ist. Da es hier im Forum jedoch genug Leute gibt, die für ein paar € alles tun.. würde es mich nicht wundern wenn deren Rechner infiziert wären. Solche Leute würden sich für 5 oder 10€ alles installieren.. Andererseits sind aber die meisten "Hacker" auch einfach nur verblödet. Wenn man sieht wie viele Leute mit einer clipping board hijacking Malware infiziert sind.. Das hätten auch Trojaner sein können, die dem Angreifer volle Kontrolle über den Rechner liefern.. aber es handelt sich hierbei nur um das Clipboard. Wegschließen muss man den Ledger definitiv nicht. Solange das Wallet das man verwendet nicht bösartig ist (i.e. Signatur verifiziert / Open source), läuft man keine Gefahr BTC zu verlieren. Sonst, einfach mal auf shitcoins traden verzichten  |
|
|
|
Your funds were sent to the mixer Wasabi wallet bc1qh6h8fxnldvm78gtpm00jjun5suwx2mn2jt7qm2 and commingled with 65 UTXOs--likely other victims. The funds were split into even transaction amounts--0.10791 BTC, with the exception of 1 output of 10.45923 BTC which was sent through the mixer again. There are hundreds of victims from what I can see.
Wasabi wallet is not a mixer. It is a wallet implementing Chaumian CoinJoin. Those other UTXO's you see, don't have to be other victims. This can be anyone queuing for a CoinJoin. There are always ~50+ people queuing for a CoinJoin. I'm not sure which hardware wallet you are using, but there is a clear exploit happening. You stated you made a mistake, saving the info--but I'd still contact the company and let them know what happened. They can't do anything, but you can raise their awareness and perhaps they can write a blog on how to protect private keys when using their wallet.
It was not an exploit. As OP has mentioned, the most likely thing what happened was that his mobile got compromised. And since he had a digital backup of his mnemonic code stored there, his funds got too. Contacting ledger won't help at all. They also don't really need to write a blog on how to protect private keys (rather: the mnemonic code since you don't actively get access to backup the private keys). There is a lot of information available here on the forum (and on the web) on how to properly store sensitive data like private keys and mnemonic codes. |
|
|
|
It says that you can earn $250/day by mining Bitcoin. You would buy a miner and it will mine Bitcoin.
It seems fake to me [...]
Your feeling is right. Almost all cloud mining companies are scams. And so is anything promising fixed or too high returns. There are tons of scams out there. If you don't have a large capital to get into mining as well as a location and cheap electricity, stay away form any form of mining. You are better off just buying BTC (maybe dollar cost averaging) and treat them like a long term investment. That's definitely the wiser decision. |
|
|
|
Sure, it depends. If user cut off TOR which is part of Tails off his privacy will suffer. In principle, even TOR being turned on won’t save if it’s in the hands of incompetent man. But OP didn't seem that and I guess he understands exactly what I’m saying.
"Just" using Tor doesn't make you anonymous at all. There are additional measures you have to take to properly hide your identity. It is not as trivial as you have made it sound in your last post: Yeah, Tails is good for broadcasting TRXs that are already signed because it is capable to hide your identity.
Well mrkfdr has installed it and asked the specific questions. I gave the straight up answers. It is not my fault that you got my answers in a wrong way.
Actually, he never asked about anonymity or hiding his identity. Just whether it makes sense using a bootable USB with Tails. And the answer to that is: It depends. It is usable, yes. It is slightly better (in terms of security) than an desktop wallet on his main OS, yes. But it does nothing for his privacy, no. |
|
|
|
You can not move bitcoin to a bank (FIAT). First, you need to sell them for your desired currency. You basically got two ways of converting BTC to FIAT: - Find someone to trade with
- Sell them on an exchange
Depending on where you are located, the one or other option is easier and more feasible. Which country are you from? |
|
|
|
You should never ever use a website (doesn't matter whether online of offline) to create a password for you. You got a few options to securely generate a password: - Use some pseudorandom characters you type yourself, or
- use a trusted and open source password manager, or
- use your OS's random number generator (easier with linux /dev/random than with windows)
And as i have mentioned in this post, length beats complexity. Rather choose a password which is a few chars longer, than a shorter one with a larger set of chars. |
|
|
|
When I first got this ledger, I have now remembered that I saved a photo of the seeds to my secure folder(mistake #1).
That's an important - and unfortunately a costly - lesson to learn. This seems the most plausible explanation. This is the only way I can see that they have accessed it. I've run anti virus etc on there but it's found nothing.
An AV is not guaranteed to find malware. Most of them are using signatures to find old and already known malware and some behavior analysis which - depending on the AV - can be circumvented by the malware relatively easy or with quite some work only. ok, thank you for that explanation. I always believed that when you chose your passcode, this effectively became the 25th seed word that is used to generate the private keys....so you need the card of 24 seed words + the secret passcode.
As o_e_l_e_o already mentioned, that exists. Unfortunately a lot of people are using a lot of different terms for that. It is (and should be called) a passphrase. This passphrase is used as a salt in the key derivation function, resulting in exactly what you have mentioned.
Dont listen to this legendary person, he is TOTALLY WRONG.
You sir, have no clue at all. Azorult and hydra takes screenshots, so whenever you wrote those words down, they might have been snap shot and sent to hackers.
Ye.. you just missed one important thing.. the mnemonic code never ever appear on the PC, neither do they need to be entered there. So, the next time you want to "correct" someone, take a look here and make use it. |
|
|
|
Does this makes sense? using Tails with Electrum on a bootable USB to store Bitcoins and retrieve them occasionally?
Depends on the context. It makes sense in terms of that it works. But it is by far not comparable to a hardware wallet regarding the security. As HCP mentioned, it is a trade off between usability and security. Yeah, Tails is good for broadcasting TRXs that are already signed because it is capable to hide your identity.
You are giving the impression that using tails is sufficient to preserve some degree of privacy. This is wrong. Tails itself is just a linux distro with some tools installed. They might help you to stay more anonymous than otherwise, but it mostly depends on the user behavior. Using electrum, you already reduce the degree of your privacy by a lot. Installing Tails and believing that this makes you somewhat anonymous, as you are saying, is not true and creates a false sense of anonymity. |
|
|
|
Part of my concern is that if I expose my private key for Bitcoin, then I am also exposing it for all the forkcoins. Although, sadly, there isn't that much in the wallet, so perhaps it is a small enough risk.
When sweeping an old (pre fork) private key, you usually want to start with BTC first anyway because it is the most valuable. Using electrum connected to your ledger should be fine. Start with BTC and follow up with the forked shit coins. You might want to run the shitcoin wallets in a VM tho. |
|
|
|
[...] then opened another legacy wallet on my first wallet and mistakenly i didn't record down Second seed for that, now i just changed my windows without having backup of my wallet and all my coins are gone...
How did you even access your wallet without writing down the mnemonic code? Electrum doesn't let you use your wallet without verifying (entering) your mnemonic code. And what happened to the wallet file? Did you manually delete it? |
|
|
|
~snip~
Your post and situation is very confusing. The best probably would be to create a new thread in the technical support section and including all relevant information (e.g. what happend, what you tried, what results you got and obviously what kind of files you have now). Continuing in such an old thread will result in absolutely non-attentive people finding the thread having a new reply, and replying to the 2,5 year old OP. For example this inattentive user which mostly makes "meh" quality replies which in most cases don't help at all: ~quoting 2 year old post~
Did you try to dump the wallet or read the db manually with python? There are several scripts for this |
|
|
|
If the only place you stored your mnemonic code is indeed the card, then someone must had access to it. Just to confirm.. you generated the seed / mnemonic code yourself on the ledger, right ? And since then you never entered it anywhere ? If the answer to both questions is "yes", someone had access to the written mnemonic code.
Where do you keep your seed?
He answered that question already. Read the 2nd post from OP in this topic. You might also check your system for keyloggers like azorult or hydra ( usually embedded with pirates games in torrents)
Not relevant if he is using a hardware wallet and never entered the menmonic on his PC. And if he did, it doesn't necessarily have to be a keylogger, but basically any other kind of malware. |
|
|
|
|
Die Blockchain muss schon (zumindest teilweise) aktualisiert werden.
Konkreter, müssen alle Blöcke bis (inklusive) zu dem Block in dem du deine letzte Transaktion erhalten hast, heruntergeladen werden.
Hattest du die bereits heruntergeladenen Blöcke gelöscht?
Falls nicht, kannst du ja auch das alte data directory verwenden. So musst du immerhin nicht von ganz vorne synchronisieren.
Wenn es dir auch nur darum geht, deine Coins zu versenden, kannst du dir auch ein andere Wallet herunterladen und die Private Keys dort importieren.
Damit sparst du dir Zeit und Speicherplatz.
|
|
|
|
Für die Zukunft: Anstatt ein altes Backup benutzen zu müssen und stattdessen die Transaktion mithilfe von zapwallettxes unter Windows zu entfernen: - Command line öffnen (WIN + R -> dann cmd eingeben)
- Core mit --zapwallettxes=1 starten:
C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe --zapwallettxes=1
Hierbei deinen korrekten Pfad zur .exe eintragen. |
|
|
|
I see these things differently. You and me have already discussed all relevant stuff and I think there is no use to start our dispute again here. You stayed with own opinion but me with mine.
As much as i value your opinion, this has nothing to do with point of view. It is about terminology. People refer to the internet as "the web" all the time. Even if that is their opinion, it is simply wrong and doesn't make it right. Same applies to wallets. If you use the most commonly used taxonomy - storage of private keys - you either have online wallets (e.g. software-, web- or browser-based wallets) or cold-/offline wallets (paper wallets, air-gapped setups) and depending on the PoV "hybrid" ones (e.g. hardware wallets, which is quite controversial where they belong to). You know even Ledger is not a pure hardware wallet. It has some embedded software (like OS for example) which allows it to operate.
Wait.. are you really trying to argue that hardware needs software to be usable? |
|
|
|
I guess you meant "cold" wallet sitting on air-gapped device that was never been online and in the future will never go online.
There is no difference between an offline- and a cold wallet. "Offline" does not only refer to the internet, but to any communication interface (wifi, bluetooth, ..). Therefore each cold wallet is indeed an offline wallet and each offline wallet is a cold wallet. Some users are confused with two concept "off-line" device and "air-gapped" one and think if they turn off their WiFi or pulled Ethernet cable that would be enough.
And some users are confused with the concept of computers believing that it is some sort of magic machine. I don't see any relevance to that topic. If they simply just disconnect their internet connection, it doesn't make their online wallet an offline-/cold wallet. Just because their software is running on hardware, it also doesn't make their software wallet a hardware wallet.. |
|
|
|
Why closed source wallet is less trusted? Most of ordinary users can't ready the code.
If a software is open source and used by a huge userbase and maybe even developed by them, the chances that a malicious code snippet will be detected is quite high. Especially when talking about software updates. With a closed source software, you never know what the software actually is doing and what every "bug fix"- or "feature" update accomplishes. You shouldn't trust software just because it is open source. But IMO this is an necessary prerequisite for a trustworthy software. |
|
|
|
A transaction gets stuck when it's been broadcasted (has to be signed) but didn't confirm yet... generally because of low fees.
Here, the transaction is saved locally on your wallet and this doesn't prevent you from using the same UTXOs to create a new one.
It looks like this added new feature to Electrum 4.0.2 to save transactions locally and show them as pending is a little bit confusing.
Why should the TX be marked as offline if it has been broadcasted and also received by nodes resulting in the TX being in their mempool ? This doesn't make much sense to me. If this truly is the case, that's more of a bug, not a feature. |
|
|
|
It's hard to calculate your transaction fee, but there are wallets that allows you to configure your transaction.
Actually it is not that hard. You just need to know where to gather the relevant information from and how to interpret it. I like looking at the 2 hour graph on http://core.jochen-hoenicke.de/queue/#0,2h. Precisely, the 3rd one called "Mempool size in MB":  The table at the right shows you the size of transactions with a specific fee in the mempool. If a block is found the second you are looking at it, each transaction with a fee corresponding to the size of less than 1 MB will most likely be included. Since you can't be sure that a block is found within a few seconds, you should chose a slightly higher fee for a guaranteed confirmation in the next block. If you don't need the TX to be confirmed fast, chose a lower fee. In the example above, a fee of 6-8 sat/B will most likely get your transaction included in the next block. |
|
|
|
Starting my day off dripping sweat thinking I threw away some $100CAD in btc.
You can't really "throw away" BTC. What you can do is to send them to a wrong address (not just a typo, but a different address). But you can not just "lose" your BTC in terms of they have not been sent anywhere but are no longer assigned to your public key. If you keep your mnemonic code secure and check the address you are sending to, you won't accidentally lose BTC. |
|
|
|
|
Show Posts
